Questions 19 to 21
Explanations for questions 19 to 21
Question 19
A government agency uses CloudFront for a web application that receives personally identifiable information (PII) from citizens. What feature of CloudFront applies an extra level of encryption at CloudFront Edge locations to ensure the PII data is secured end-to-end?
- Object invalidation
- Field-level encryption
- RTMP distribution
- Origin access identity
Correct Answer: 2
Explanation: Amazon CloudFront can enforce secure end-to-end connections to origin servers using HTTPS. Field-level encryption adds a further security layer on top of that: it lets you protect specific fields of data throughout system processing so that only certain applications can read them.
Field-level encryption allows your users to upload sensitive data to your web servers securely. The sensitive fields are encrypted at the edge and remain encrypted throughout your entire application stack, ensuring that only the applications that need this data can decrypt it.
INCORRECT: “Object invalidation” is incorrect. Object invalidation is a method to remove objects from the cache.
CORRECT: “Field-level encryption” is the correct answer.
INCORRECT: “RTMP distribution” is incorrect. An RTMP distribution is a method of streaming media using Adobe Flash.
INCORRECT: “Origin access identity” is incorrect. Origin access identity applies to S3 bucket origins, not web servers.
References: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
Question 20
A company has multiple Amazon VPCs that are peered with each other. The company would like to use a single Elastic Load Balancer (ELB) to route traffic to multiple EC2 instances in peered VPCs within the same region. How can this be achieved?
- This is not possible; the instances that an ELB routes traffic to must be in the same VPC.
- This is possible using the Classic Load Balancer (CLB) if using Instance IDs.
- This is possible using the Network Load Balancer (NLB) and Application Load Balancer (ALB) if using IP addresses as targets.
- This is not possible with ELB; you need to use Route 53.
Correct Answer: 3
Explanation: With ALB and NLB, IP addresses can be used to register:
- Instances in a peered VPC.
- AWS resources that are addressable by IP address and port.
- On-premises resources linked to AWS through Direct Connect or a VPN connection.
INCORRECT: “This is not possible; the instances that an ELB routes traffic to must be in the same VPC.” is incorrect. Instances can be in peered VPCs.
INCORRECT: “This is possible using the Classic Load Balancer (CLB) if using Instance IDs.” is incorrect. This is not possible with the CLB.
CORRECT: “This is possible using the Network Load Balancer (NLB) and Application Load Balancer (ALB) if using IP addresses as targets.” is the correct answer.
INCORRECT: “This is not possible with ELB; you need to use Route 53.” is incorrect. This is not true as detailed above.
References: https://aws.amazon.com/blogs/aws/new-application-load-balancing-via-ip-address-to-aws-on-premises-resources/
Question 21
Some data has become corrupted in an Amazon RDS database. A solutions architect plans to use point-in-time restore to recover the data to the last known good configuration. Which of the following statements is correct about restoring an RDS database to a specific point in time? (Select TWO)
- You can restore up to the last five minutes.
- Custom DB security groups are applied to the new DB instance.
- You can restore up to the last one minute.
- The default DB security group is applied to the new DB instance.
- The database restore overwrites the existing database.
Correct Answer: 1, 4
Explanation:
You can restore a DB instance to a specific point in time, creating a new DB instance. When you restore a DB instance to a point in time, the default DB security group is applied to the new DB instance. If you need custom DB security groups applied to your DB instance, you must apply them explicitly using the AWS Management Console, the AWS CLI modify-db-instance command, or the Amazon RDS API ModifyDBInstance operation after the DB instance is available.
A restored DB is always a new RDS instance with a new DNS endpoint, and you can restore up to the last five minutes.
CORRECT: “You can restore up to the last five minutes.” is a correct answer.
INCORRECT: “Custom DB security groups are applied to the new DB instance.” is incorrect. Only the default DB parameters and security groups are applied to the restored instance; you must manually associate all other DB parameter groups and security groups.
INCORRECT: “You can restore up to the last one minute.” is incorrect. You can restore up to the last five minutes.
CORRECT: “The default DB security group is applied to the new DB instance.” is also a correct answer.
INCORRECT: “The database restore overwrites the existing database.” is incorrect. You cannot restore from a DB snapshot to an existing DB. A new instance is created when you restore.
References: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIT.html